Spec & Goals 3 min
AQA Spec 3.6.1.1 — What penetration testing is and what it is used for
By the end of this lesson you can:
- Define penetration testing.
- Explain what penetration testing is used for.
- Describe the difference between white-box and black-box testing.
Warm-Up 5 min
You've met many threats. How does an organisation find its own weaknesses before a real attacker does? It hires someone to attack it on purpose — safely.
Quick starter
A locksmith is paid to try to break into a shop to check its locks. Why is this safer than waiting for a burglar?
Reveal the idea
You find the weak lock first, with permission and no theft, then fix it. Penetration testing does the same for computer systems.
Key Concept — attacking yourself, safely 14 min
Penetration testing ("pen testing") is the practice of deliberately attacking your own system — with permission — to find security weaknesses before a real attacker exploits them.
What it is used for
- Find vulnerabilities — weak passwords, unpatched software, misconfigured access rights, injectable inputs.
- Test defences — do the firewall, anti-malware and access controls actually hold?
- Prioritise fixes — a report tells the organisation what to repair first.
- Reassure — meet security standards and customer expectations.
White-box vs black-box testing
| Type | Tester's knowledge | Simulates… |
|---|---|---|
| White-box | Has inside knowledge — logins, source code, network details. | A malicious insider, or thorough internal review. |
| Black-box | Has no inside knowledge — starts like an outsider. | An external hacker with no special access. |
Worked Example — planning a pen test 12 min
Problem: A KL online retailer hires a tester. Explain what the test should look for and which approach simulates which attacker.
- What to probe: the login (brute force, SQL injection), the network (open ports, firewall gaps), the software (unpatched versions), and staff (phishing susceptibility).
- Black-box first: the tester starts with no access, like a real outside hacker — does the site give anything away?
- White-box next: given logins and code, the tester checks for insider risks and deeper flaws.
- Output: a report ranking each weakness so the retailer fixes the most dangerous first.
Try It Yourself 12 min
Goal: Define penetration testing.
Goal: Give two reasons an organisation would carry out penetration testing.
Goal: Explain the difference between white-box and black-box penetration testing, and which attacker each simulates.
📝 Exam Practice 10 min
Define the term penetration testing.
Mark scheme
- Authorised/simulated attacks on a system to find security weaknesses (1).
Explain why a company carries out penetration testing.
Mark scheme
- To identify security weaknesses/vulnerabilities in the system (1).
- So they can be fixed before a real attacker exploits them (1).
Describe the difference between white-box and black-box penetration testing.
Mark scheme
- White-box — the tester has inside knowledge (e.g. logins/source code), simulating an insider (1).
- Black-box — the tester has no inside knowledge, simulating an external attacker (1).
Recap & Key Terms 3 min
Penetration testing is an authorised, simulated attack used to find weaknesses before real attackers do, so they can be fixed. White-box testing uses inside knowledge (simulating an insider); black-box uses none (simulating an outside hacker). It must be done with permission.
- Penetration testing: Authorised simulated attacks to find and fix security weaknesses before attackers exploit them.
- White-box testing: Pen testing with inside knowledge of the system, simulating a malicious insider.
- Black-box testing: Pen testing with no inside knowledge, simulating an external attacker.
- Vulnerability: A weakness in a system that an attacker could exploit.
Homework 1 min
Task (≤ 15 min): A hospital wants to test its security. Write a short brief explaining what penetration testing is, why it should be done, and why both white-box and black-box tests are useful.
Model answer
Penetration testing means authorised, simulated attacks on the hospital's systems to find weaknesses before criminals do, so they can be fixed. Black-box testing (no inside knowledge) shows what an outside hacker could achieve; white-box testing (with logins/code) reveals deeper flaws and insider risks. Together they give a fuller picture, and a report lets the hospital fix the most serious issues first. It must be done with permission.
Award marks for: correct definition (1); purpose — find/fix weaknesses first (1); white-box and black-box correctly explained (2).